Originally published on the Barracuda Blog, February 7, 2019, by Olesia Klevchuk 

 

Tax season in the U.S. is upon us, and companies are already working on compiling and distributing the W-2 forms and other tax-related information to prepare for filing.  As you may have guessed, the criminals are also thinking about tax season and working out ways to steal your identity, sensitive information, and hard-earned tax refunds.

“If a W-2 attack is successful, the victim may suffer multiple incidents of identity theft due to the data being sold to other criminals via the dark web.”

Why the W-2 form?

The W-2 tax form is a responsibility of every employer engaged in a trade or business that pays for services performed by an employee, and nearly every employee in the United States receives one of these each year. These W-2 forms detail the employee’s name, address, Social Security Number, wages, tax deductions, and other personal information. Cybercriminals and tax scammers want this information so they can steal your identity, file fraudulent tax returns, or sell it on the dark web. With your W-2 in hand, these criminals can generate multiple streams of income from a single identity. There are details here if you’d like to learn more about W-2 forms.

Recent research found that personally identifiable information (PII) scams represent approximately 12% of all email attacks studied for this Barracuda Threat Spotlight on Business Email Compromise (BEC). These scams are often directed at departments like Human Relations, Finance, and Payroll because they have access to tax information.

W-2 scams are very effective, and the number of people reporting this attack continues to grow. The Internal Revenue Service reports more than 200 employers were victimized in 2017, which translates into hundreds of thousands of employees who had their identities compromised.

How the attack works

Attackers are already targeting your organizations and we are seeing a spike in their activities. Here’s an example from early January that was captured by our system:

These attacks usually follow the same pattern with three distinct steps.

Impersonation
W-2 scams are a form of Business Email Compromise attack where the criminals impersonate executives or other business authorities to request W-2 forms. Scammers will often use domain spoofing or display name spoofing in their attempt to impersonate. These attacks may also originate from already compromised email accounts, making them even more difficult to detect with traditional email security.

Request
These attacks contain requests for W-2 forms and often include a sense of urgency to put additional pressure on the recipient. Most W-2 email scams contain no malicious attachments or URLs and come from high reputation senders. Traditional email security that relies on blacklists, signatures, URL protection and sandboxing technologies will often miss this attack and allow it to be delivered to a user’s inbox.

Data Loss
If the attack is successful, the data is sent to the criminal and will be used for identity theft, including fraudulent tax refunds. Because the data can also be sold on the dark web, the victim may suffer multiple incidents of identity theft. Organizations that discover W-2 scams often offer to pay for employees’ identity theft protection services, incurring tens of thousands of dollars in unexpected costs.

Prevention
Preventing this type of attack requires the right technology and user security training.
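
As an added illustration (not Barracuda's code or product logic), the sketch below checks a raw message for the impersonation and request traits described above, using header and text signals because these emails carry no attachments or URLs to scan. The organisation domain, executive names, keyword patterns, the Reply-To check and the sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this sketch: the organisation's domain and its executives' names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "sam lee"}
W2_RE = re.compile(r"\bw-?2s?\b|\bwage and tax statements?\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent(ly)?|asap|immediately|right away|today)\b", re.I)

# Constructed sample messages, not real mail.
SPOOFED = ("From: Jane Doe <jane.doe@example.net>\nTo: payroll@example.com\n"
           "Subject: W-2 forms\n\nI need all employee W2s sent to me today, ASAP.\n")
DIVERTED = ("From: Sam Lee <sam.lee@example.com>\nReply-To: sam.lee@example.org\n"
            "Subject: Request\n\nPlease email me the 2018 W-2 of every employee.\n")
BENIGN = ("From: Jane Doe <jane.doe@example.com>\nTo: payroll@example.com\n"
          "Subject: W-2 schedule\n\nWhen will W-2 forms be mailed to staff?\n")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def w2_bec_signals(raw):
    """Return the W-2 BEC signals found in one raw single-part text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = []
    # Impersonation: an executive's display name on an outside address.
    if name.strip().lower() in EXECUTIVES and domain(addr) != ORG_DOMAIN:
        signals.append("display_name_spoof")
    # Impersonation: replies diverted to another domain, as with a forged From.
    if reply_to and domain(reply_to) != domain(addr):
        signals.append("reply_to_mismatch")
    # Request: the message asks for W-2 data, possibly with urgency.
    if W2_RE.search(text):
        signals.append("w2_request")
        if URGENCY_RE.search(text):
            signals.append("urgency")
    return signals

def is_suspicious(raw):
    """Flag a W-2 request that arrives with any impersonation signal."""
    found = w2_bec_signals(raw)
    impersonated = {"display_name_spoof", "reply_to_mismatch"} & set(found)
    return "w2_request" in found and bool(impersonated)
```

A request sent from an already compromised internal account shows neither impersonation signal here, which is why the W-2 request signal alone is still worth routing to a person for confirmation.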

After an attack

If you have fallen victim to a W-2 scam, immediately report the incident to the IRS here.  Advise your employees and launch an internal investigation to find the extent of the breach.  It’s possible that the W-2 scam is part of a larger attack that has gone undetected.

Identify all recipients of fraudulent emails and look for additional compromised accounts in the process.  Remove the malicious emails as you find them, and update your security by adding the sender to your blacklist to block future attacks.    Barracuda Forensics and Incident Response can help automate this process.
